Concurrent constraint programming (ccp) is a well-established model for concurrency that singles
out the fundamental aspects of asynchronous systems whose agents (or processes) evolve by posting
and querying (partial) information in a global medium. Bisimilarity is a standard behavioural
equivalence in concurrency theory. However, only recently a well-behaved notion of bisimilarity for
ccp, and a ccp partition refinement algorithm for deciding the strong version of this equivalence have
been proposed. Weak bisimilarity is a central behavioural equivalence in process calculi and it is
obtained from the strong case by taking into account only the actions that are observable in the system.
Typically, the standard partition refinement can also be used for deciding weak bisimilarity simply
by using Milner's reduction from weak to strong bisimilarity; a technique referred to as saturation.
In this paper we demonstrate that, because of its involved labeled transitions, the above-mentioned
saturation technique does not work for ccp. We give an alternative reduction from weak ccp
bisimilarity to the strong one that allows us to use the ccp partition refinement algorithm for deciding this
equivalence.

1 Introduction 

Since the introduction of process calculi, one of the richest sources of foundational investigations stemmed
from the analysis of behavioural equivalences: in any formal process language, systems which are
syntactically different may denote the same process, i.e., they have the same observable behaviour.

A major dichotomy among behavioural equivalences concerns strong and weak equivalences. In
strong equivalences, all the transitions performed by a system are deemed observable. In weak
equivalences, instead, internal transitions (usually denoted by $\tau$) are unobservable. On the one hand, weak
equivalences are more abstract (and thus closer to the intuitive notion of behaviour); on the other hand,
strong equivalences are usually much easier to check (for instance, in [17] a strong equivalence is
introduced which is computable for a Turing complete formalism).

Strong bisimilarity is one of the most studied behavioural equivalences and many algorithms
have been developed to check whether two systems are equivalent up to strong bisimilarity.
Among these, the partition refinement algorithm [15] is one of the best known: first it generates the state
space of a labeled transition system (LTS), i.e., the set of states reachable through the transitions; then, it
creates a partition equating all states and afterwards, iteratively, refines these partitions by splitting
non-equivalent states. At the end, the resulting partition equates all and only bisimilar states.
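procurement agency (DGA) with two PhD grants.

Weak bisimilarity can be computed by reducing it to strong bisimilarity. Given an LTS $\xrightarrow{a}$ labeled
with actions $a, b, \ldots$ one can build $\overset{a}{\Longrightarrow}$ as follows.

$$\frac{P \xrightarrow{a} Q}{P \overset{a}{\Longrightarrow} Q} \qquad \frac{}{P \overset{\tau}{\Longrightarrow} P} \qquad \frac{P \overset{\tau}{\Longrightarrow} P_1 \overset{a}{\Longrightarrow} Q_1 \overset{\tau}{\Longrightarrow} Q}{P \overset{a}{\Longrightarrow} Q}$$

Since weak bisimilarity on $\xrightarrow{a}$ coincides with strong bisimilarity on $\overset{a}{\Longrightarrow}$, one can check weak
bisimilarity with the algorithms for strong bisimilarity on the new LTS $\overset{a}{\Longrightarrow}$.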

It is worth pointing out that an alternative presentation of $\Longrightarrow$ with sequences of actions as labels is
also possible [19]. Nevertheless, the resulting transition system may be infinite-branching and hence not
amenable to automatic verification using standard algorithms such as partition refinement.

Concurrent Constraint Programming (ccp) [26] is a formalism that combines the traditional algebraic
and operational view of process calculi with a declarative one based upon first-order logic. In ccp,
processes (agents or programs) interact by adding (or telling) and asking information (namely, constraints)
in a medium (the store).

Inspired by [7, 6], the authors introduced in [2] both strong and weak bisimilarity for ccp and showed
that the weak equivalence is fully abstract with respect to the standard observational equivalence of [27].
Moreover, a variant of the partition refinement algorithm is given in [3] for checking strong bisimilarity
on (the finite fragment) of concurrent constraint programming.

In this paper, first we show that the standard method for reducing weak to strong bisimilarity does
not work for ccp and then we provide a way out of the impasse. Our solution can be readily explained
by observing that the labels in the LTS of a ccp agent are constraints (actually, they are "the minimal
constraints" that the store should satisfy in order to make the agent progress). These constraints form
a lattice where the least upper bound (denoted by $\sqcup$) intuitively corresponds to conjunction and the
bottom element is the constraint $true$. (As expected, transitions labeled by $true$ are internal transitions,
corresponding to the $\tau$ moves in standard process calculi.) Now, rather than closing the transitions just
with respect to $true$, we need to close them w.r.t. all the constraints. Formally we build the new LTS with
the following rules.

$$\frac{P \xrightarrow{a} Q}{P \overset{a}{\Longrightarrow} Q} \qquad \frac{}{P \overset{true}{\Longrightarrow} P} \qquad \frac{P \overset{a}{\Longrightarrow} Q \overset{b}{\Longrightarrow} R}{P \overset{a \sqcup b}{\Longrightarrow} R}$$

Note that, since $\sqcup$ is idempotent, if the original LTS has finitely many transitions, then also $\Longrightarrow$
is finite. This allows us to use the algorithm in [3] to check weak bisimilarity on (the finite fragment)
of concurrent constraint programming. We have implemented this procedure in a tool that is available
at http://www.lix.polytechnique.fr/~andresaristi/checkers/. To the best of our
knowledge, this is the first tool for checking weak equivalence of ccp programs.

This paper is structured as follows. In Sec. 2 we recall the partition refinement method and the
standard reduction from weak to strong bisimilarity. We also recall the ccp formalism, its equivalences,
and the ccp partition refinement algorithm. We then show why the standard reduction does not work for
ccp. Finally, in Sec. 3 we present our reduction and show its correctness.

Related Work. Ccp is not the only formalism where weak bisimilarity cannot be naively reduced
to the strong one. Probably the first case in the literature is an algorithm
for checking weak open bisimilarity of the $\pi$-calculus. This algorithm is rather different from ours, since it
is on-the-fly and thus it checks the equivalence of only two given states (while our algorithm, and
more generally all algorithms based on partition refinement, check the equivalence of all the states of a
given LTS). Weak labelled transitions have also been defined following the above-mentioned standard method,
which does not work in the ccp case.

Analogous problems to the one discussed in this paper arise in Petri nets [28, 10], in tile transition
systems [13, 9] and, more generally, in the theory of reactive systems [14] (the interested reader is
referred to [29] for an overview). In all these cases, labels form a monoid where the neutral element is
the label of internal transitions. Roughly, when reducing from weak to strong bisimilarity, one needs
to close the transitions with respect to the composition of the monoid (and not only with respect to the
neutral element). However, in all these cases, label composition is not idempotent (as it is for ccp) and
thus a finite LTS might be transformed into an infinite one. For this reason, this procedure applied to the
aforementioned cases is not effective for automatic verification.

2 From Weak to Strong CCP Bisimilarity: Saturation Approach 

The problem of whether two states are weakly bisimilar in traditional labeled transition systems is
typically reduced to the problem of whether they are strongly bisimilar, which can be efficiently verified
using partition refinement. We shall refer to this standard reduction as Milner's saturation method.

In this section we shall show that this method does not work for ccp. More precisely, Milner's 
reduction will produce an equivalence that does not correspond to the one expected. First, we shall recall 
the partition refinement algorithm for strong bisimilarity and Milner's saturation method. Then we show 
the corresponding notions in ccp. 

Standard Partition Refinement. In this section we recall the partition refinement algorithm [15] for
checking bisimilarity over the states of a labeled transition system. Remember that an LTS can be
intuitively seen as a graph where nodes represent states and arcs represent transitions between states. A
transition $P \xrightarrow{a} Q$ between $P$ and $Q$ labeled with $a$ can be typically thought of as an evolution from $P$
to $Q$ provided that a condition $a$ is met. Transition systems can be used to represent the evolution of
processes in calculi such as CCS and the $\pi$-calculus [19, 20]. In this case states correspond to processes
and transitions are given by the operational semantics of the calculus.

Let us now introduce some notation. Given a set $S$, a partition of $S$ is a set of non-empty blocks,
i.e., subsets of $S$, that are all disjoint and whose union is $S$. We write $\{B_1\} \ldots \{B_n\}$ to denote a partition
consisting of (non-empty) blocks $B_1, \ldots, B_n$. A partition represents an equivalence relation where
equivalent elements belong to the same block. We write $P\,\mathcal{P}\,Q$ to mean that $P$ and $Q$ are equivalent in the
partition $\mathcal{P}$.

The partition refinement algorithm (see Alg. 1) checks bisimilarity as follows. First, it computes
$IS^\star$, that is the set of all states that are reachable from the set of initial states $IS$. Then it creates the
partition where all the elements of $IS^\star$ belong to the same block (i.e., they are all equivalent). After
the initialization, it iteratively refines the partitions by employing the function $\mathbf{F}$, defined as follows: for
all partitions $\mathcal{P}$, $P\ \mathbf{F}(\mathcal{P})\ Q$ iff

• if $P \xrightarrow{a} P'$ then there exists $Q'$ s.t. $Q \xrightarrow{a} Q'$ and $P'\,\mathcal{P}\,Q'$.

The algorithm terminates whenever two consecutive partitions are equivalent. In such a partition two
states belong to the same block iff they are bisimilar.
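
Algorithm 1 as an added sketch (not code from the paper or its tool): a naive Python partition refinement over an LTS given as (source, label, target) triples. The state names and the sample LTS are constructed for illustration.

```python
def reachable(initial, trans):
    """IS*: every state reachable from the initial states IS."""
    seen, todo = set(initial), list(initial)
    while todo:
        s = todo.pop()
        for (p, _a, q) in trans:
            if p == s and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen


def refine(partition, trans):
    """One application of F, computed block by block.

    Two states stay together iff they sit in the same block and offer the
    same set of (label, target block) moves, i.e. each matches the other's
    transitions up to the current partition. Splitting inside blocks is
    enough because the iteration starts from the coarsest partition.
    """
    blocks = list(partition)
    block_of = {s: i for i, blk in enumerate(blocks) for s in blk}
    refined = set()
    for blk in blocks:
        by_signature = {}
        for s in blk:
            sig = frozenset((a, block_of[q]) for (p, a, q) in trans if p == s)
            by_signature.setdefault(sig, set()).add(s)
        refined.update(frozenset(g) for g in by_signature.values())
    return refined


def partition_refinement(initial, trans):
    states = reachable(initial, trans)
    trans = {t for t in trans if t[0] in states}
    partition = {frozenset(states)}            # P^0 := {IS*}
    while True:
        nxt = refine(partition, trans)         # P^{n+1} := F(P^n)
        if nxt == partition:                   # two consecutive partitions agree
            return partition
        partition = nxt


def bisimilar(p, q, trans):
    return any(p in blk and q in blk
               for blk in partition_refinement({p, q}, trans))


# Constructed sample LTS: s0 = a.(b + c), t0 = a.b + a.c, u0 = a.(b + c) + a.(b + c)
LTS = {
    ("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3"),
    ("t0", "a", "t1"), ("t0", "a", "t2"), ("t1", "b", "t3"), ("t2", "c", "t4"),
    ("u0", "a", "u1"), ("u0", "a", "u2"),
    ("u1", "b", "u3"), ("u1", "c", "u4"), ("u2", "b", "u5"), ("u2", "c", "u6"),
}

if __name__ == "__main__":
    print(bisimilar("s0", "u0", LTS), bisimilar("s0", "t0", LTS))
```
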

Standard reduction from weak to strong bisimilarity. As pointed out in the literature (Chapter 3
from [24]), in order to compute weak bisimilarity, we can use the above-mentioned partition refinement.

Algorithm 1 Partition-Refinement($IS$)

Initialization

1. $IS^\star$ is the set of all processes reachable from $IS$,

2. $\mathcal{P}^0 := \{IS^\star\}$,

Iteration $\mathcal{P}^{n+1} := \mathbf{F}(\mathcal{P}^n)$,

Termination If $\mathcal{P}^n = \mathcal{P}^{n+1}$ then return $\mathcal{P}^n$.

$$\text{MR1}\ \frac{\gamma \xrightarrow{\alpha} \gamma'}{\gamma \overset{\alpha}{\Longrightarrow} \gamma'} \qquad \text{MR2}\ \frac{}{\gamma \overset{true}{\Longrightarrow} \gamma} \qquad \text{MR3}\ \frac{\gamma \overset{true}{\Longrightarrow} \gamma_1 \overset{\alpha}{\Longrightarrow} \gamma_2 \overset{true}{\Longrightarrow} \gamma'}{\gamma \overset{\alpha}{\Longrightarrow} \gamma'}$$

Table 1: Milner's Saturation Method

The idea is to start from the graph generated via the operational semantics and then saturate it using
the rules described in Tab. 1 to produce a new labeled transition relation $\Longrightarrow$. Recall that $\longrightarrow^*$ is the
reflexive and transitive closure of the transition relation $\longrightarrow$. Now the problem whether two states are
weakly bisimilar can be reduced to checking whether they are strongly bisimilar w.r.t. $\Longrightarrow$ using partition
refinement. As we will show later on, this approach does not work in a formalism like concurrent
constraint programming. We shall see that the problem involves the ccp transition labels which, being
constraints, can be arbitrarily combined using the lub operation $\sqcup$ to form a new one. Such a situation
does not arise in CCS-like labelled transitions.

Notation 1. When the label of a transition is $true$ we will omit it. Namely, henceforth we will use $\gamma \longrightarrow \gamma'$
and $\gamma \Longrightarrow \gamma'$ to denote $\gamma \xrightarrow{true} \gamma'$ and $\gamma \overset{true}{\Longrightarrow} \gamma'$.



2.1 CCP 

We shall now recall ccp and the adaptation of the partition refinement algorithm to compute bisimilarity
in ccp.

Constraint Systems. The ccp model is parametric in a constraint system (cs) specifying the structure
and interdependencies of the information that processes can ask of and add to a central shared store.
This information is represented as assertions traditionally referred to as constraints. Following [5]
we regard a cs as a complete algebraic lattice in which the ordering $\sqsubseteq$ is the reverse of an entailment
relation: $c \sqsubseteq d$ means $d$ entails $c$, i.e., $d$ contains "more information" than $c$. The top element $false$
represents inconsistency, the bottom element $true$ is the empty constraint, and the least upper bound
(lub) $\sqcup$ is the join of information.

Definition 1 (cs). A constraint system (cs) $\mathbf{C} = (Con, Con_0, \sqsubseteq, \sqcup, true, false)$ is a complete algebraic
lattice where $Con$, the set of constraints, is a partially ordered set w.r.t. $\sqsubseteq$, $Con_0$ is the subset of compact
elements of $Con$, $\sqcup$ is the lub operation defined on all subsets, and $true$, $false$ are the least and greatest
elements of $Con$, respectively.

Remark 1. We shall assume that the constraint system is well-founded and, for practical reasons, that
its ordering $\sqsubseteq$ is decidable.

We now define the constraint system we use in our examples. 
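$$\text{R1}\ \frac{}{\langle \mathbf{tell}(c), d\rangle \longrightarrow \langle \mathbf{stop}, d \sqcup c\rangle} \qquad \text{R2}\ \frac{c \sqsubseteq d}{\langle \mathbf{ask}(c) \to P, d\rangle \longrightarrow \langle P, d\rangle}$$

$$\text{R3}\ \frac{\langle P, d\rangle \longrightarrow \langle P', d'\rangle}{\langle P \parallel Q, d\rangle \longrightarrow \langle P' \parallel Q, d'\rangle} \qquad \text{R4}\ \frac{\langle P, d\rangle \longrightarrow \langle P', d'\rangle}{\langle P + Q, d\rangle \longrightarrow \langle P', d'\rangle}$$

Table 2: Reduction semantics for ccp (the symmetric rules for R3 and R4 are omitted).

Example 1. Let $Var$ be a set of variables and $\omega$ be the set of natural numbers. A variable assignment is
a function $\mu : Var \longrightarrow \omega$. We use $\mathcal{A}$ to denote the set of all assignments, $\mathcal{P}(\mathcal{A})$ to denote the powerset
of $\mathcal{A}$, $\emptyset$ the empty set and $\cap$ the intersection of sets. Let us define the following constraint system: the
set of constraints is $\mathcal{P}(\mathcal{A})$. We define $c \sqsubseteq d$ iff $c \supseteq d$. The constraint $false$ is $\emptyset$, while $true$ is $\mathcal{A}$. Given
two constraints $c$ and $d$, $c \sqcup d$ is the intersection $c \cap d$. We will often use a formula like $x < n$ to denote
the corresponding constraint, i.e., the set of all assignments that map $x$ to a number smaller than $n$.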

Processes. We now recall the basic ccp process constructions. For the sake of space and simplicity we
dispense with the recursion operator, which is defined in the standard way as in CCS or other process
algebras, and the local/hiding operator (see [2] for further details).

Syntax. Let us presuppose a constraint system $\mathbf{C} = (Con, Con_0, \sqsubseteq, \sqcup, true, false)$. The ccp processes
are given by the following syntax:

$$P, Q ::= \mathbf{stop} \mid \mathbf{tell}(c) \mid \mathbf{ask}(c) \to P \mid P \parallel Q \mid P + Q$$

where $c \in Con_0$. Intuitively, $\mathbf{stop}$ represents termination, $\mathbf{tell}(c)$ adds the constraint (or partial
information) $c$ to the store. The addition is performed regardless of the generation of inconsistent information. The
process $\mathbf{ask}(c) \to P$ may execute $P$ if $c$ is entailed from the information in the store. The processes $P \parallel Q$
and $P + Q$ stand, respectively, for the parallel execution and non-deterministic choice of $P$ and $Q$.

Reduction Semantics. The operational semantics is given by transitions between configurations. A
configuration is a pair $\langle P, d\rangle$ representing a state of a system; $d$ is a constraint representing the global
store, and $P$ is a process, i.e., a term of the syntax. We use $Conf$ with typical elements $\gamma, \gamma', \ldots$ to
denote the set of configurations. The operational model of ccp is given by the transition relation $\longrightarrow\ \subseteq
Conf \times Conf$ defined in Tab. 2. The rules in Tab. 2 are easily seen to realize the above intuitions.

Barbed Semantics. The authors in [2] introduced a barbed semantics for ccp. Barbed equivalences
were introduced for CCS, and have become the standard behavioural equivalences for
formalisms equipped with unlabeled reduction semantics. Intuitively, barbs are basic observations
(predicates) on the states of a system. In the case of ccp, barbs are taken from the underlying set $Con_0$ of the
constraint system. A configuration $\gamma = \langle P, d\rangle$ is said to satisfy the barb $c$ ($\gamma \downarrow_c$) iff $c \sqsubseteq d$. Similarly, $\gamma$
satisfies a weak barb $c$ ($\gamma \Downarrow_c$) iff there exists $\gamma'$ s.t. $\gamma \longrightarrow^* \gamma' \downarrow_c$.

In this context, the equivalence proposed is the saturated bisimilarity [7, 6]. Intuitively, in order for
two states to be saturated bisimilar, (i) they should expose the same barbs, (ii) whenever one of them
moves then the other should reply and arrive at an equivalent state (i.e. follow the bisimulation game),
(iii) they should be equivalent under all the possible contexts of the language. In the case of ccp, it is
enough to require that bisimulations are upward closed as in condition (iii) below.

Definition 2 (Saturated Barbed Bisimilarity). A saturated barbed bisimulation is a symmetric relation
$\mathcal{R}$ on configurations s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$ with $\gamma_1 = \langle P, c\rangle$ and $\gamma_2 = \langle Q, d\rangle$ implies that: (i) if $\gamma_1 \downarrow_e$
then $\gamma_2 \downarrow_e$, (ii) if $\gamma_1 \longrightarrow \gamma_1'$ then there exists $\gamma_2'$ s.t. $\gamma_2 \longrightarrow \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$, (iii) for every $a \in Con_0$,
$(\langle P, c \sqcup a\rangle, \langle Q, d \sqcup a\rangle) \in \mathcal{R}$. We say that $\gamma_1$ and $\gamma_2$ are saturated barbed bisimilar ($\gamma_1 \sim_{sb} \gamma_2$) if there exists
a saturated barbed bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.
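$$\text{LR1}\ \frac{}{\langle \mathbf{tell}(c), d\rangle \xrightarrow{true} \langle \mathbf{stop}, d \sqcup c\rangle} \qquad \text{LR2}\ \frac{\alpha \in \min\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}}{\langle \mathbf{ask}(c) \to P, d\rangle \xrightarrow{\alpha} \langle P, d \sqcup \alpha\rangle}$$

$$\text{LR3}\ \frac{\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}{\langle P \parallel Q, d\rangle \xrightarrow{\alpha} \langle P' \parallel Q, d'\rangle} \qquad \text{LR4}\ \frac{\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}{\langle P + Q, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle}$$

Table 3: Labeled semantics for ccp (the symmetric rules for LR3 and LR4 are omitted).

$T = \mathbf{tell}(true)$, $P = \mathbf{ask}(x < 7) \to T$, $Q = \mathbf{ask}(x < 5) \to T$, $R = \mathbf{ask}(z < 5) \to (P + Q)$

$T' = \mathbf{tell}(y = 1)$, $S = \mathbf{ask}(z < 7) \to P$, $Q' = \mathbf{ask}(x < 5) \to T'$, $R' = \mathbf{ask}(z < 5) \to (P + Q')$

Figure 1: The LTS of the running example ($IS = \{\langle R' + S, true\rangle, \langle S, true\rangle, \langle R + S, true\rangle\}$).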

We use the term "saturated" to be consistent with the original idea. However, "saturated" in
this context has nothing to do with Milner's "saturation" for weak bisimilarity. In the following, we
will continue to use "saturated" and "saturation" to denote these two different concepts.

Example 2. Take $T = \mathbf{tell}(true)$, $P = \mathbf{ask}(x < 7) \to T$ and $Q = \mathbf{ask}(x < 5) \to T$. You can see
that $\langle P, true\rangle \not\sim_{sb} \langle Q, true\rangle$, since $\langle P, x < 7\rangle \longrightarrow$, while $\langle Q, x < 7\rangle \not\longrightarrow$. Consider now the configuration
$\langle P + Q, true\rangle$ and observe that $\langle P + Q, true\rangle \sim_{sb} \langle P, true\rangle$. Indeed, for all constraints $e$ s.t. $x < 7 \sqsubseteq e$, both
the configurations evolve into $\langle T, e\rangle$, while for all $e$ s.t. $x < 7 \not\sqsubseteq e$, both configurations cannot proceed.
Since $x < 7 \sqsubseteq x < 5$, the behaviour of $Q$ is somehow absorbed by the behaviour of $P$.

As we mentioned before, we are interested in deciding the weak version of the notion above. Then,
weak saturated barbed bisimilarity ($\approx_{sb}$) is obtained from Def. 2 by replacing the strong barbs in
condition (i) with their weak version ($\Downarrow$) and the transitions in condition (ii) with the reflexive and transitive closure
of the transition relation ($\longrightarrow^*$).

Labeled Semantics. As explained in [2], in a transition of the form $\langle P, d\rangle \xrightarrow{\alpha} \langle P', d'\rangle$ the label $\alpha$
represents a minimal information (from the environment) that needs to be added to the store $d$ to evolve
from $\langle P, d\rangle$ into $\langle P', d'\rangle$, i.e., $\langle P, d \sqcup \alpha\rangle \longrightarrow \langle P', d'\rangle$. The labeled transition relation $\xrightarrow{\ }\ \subseteq Conf \times Con_0 \times
Conf$ is defined by the rules in Tab. 3. The rule LR2, for example, says that $\langle \mathbf{ask}(c) \to P, d\rangle$ can
evolve to $\langle P, d \sqcup \alpha\rangle$ if the environment provides a minimal constraint $\alpha$ that added to the store $d$ entails
$c$, i.e., $\alpha \in \min\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}$. Note that assuming that $(Con, \sqsubseteq)$ is well-founded (Remark 1) is
necessary to guarantee that $\alpha$ exists whenever $\{a \in Con_0 \mid c \sqsubseteq d \sqcup a\}$ is not empty. The other rules are
easily seen to realize the above intuition. Fig. 1 illustrates the LTSs of our running example.

The labeled semantics is sound and complete w.r.t. the unlabeled one. Soundness states that $\langle P, d\rangle \xrightarrow{\alpha}
\langle P', d'\rangle$ corresponds to our intuition that if $\alpha$ is added to $d$, $P$ can reach $\langle P', d'\rangle$. Completeness states that
if we add $a$ to (the store in) $\langle P, d\rangle$ and reduce to $\langle P', d'\rangle$, there exists a minimal information $\alpha \sqsubseteq a$ such that
$\langle P, d\rangle \xrightarrow{\alpha} \langle P', d''\rangle$ with $d'' \sqsubseteq d'$.

The following lemma is an extension of the one in [2] which considers nondeterministic ccp.

Lemma 1 (Correctness of $\xrightarrow{\ }$). (Soundness) If $\langle P, c\rangle \xrightarrow{\alpha} \langle P', c'\rangle$ then $\langle P, c \sqcup \alpha\rangle \longrightarrow \langle P', c'\rangle$.
(Completeness) If $\langle P, c \sqcup a\rangle \longrightarrow \langle P', c'\rangle$ then there exist $\alpha$ and $b$ s.t. $\langle P, c\rangle \xrightarrow{\alpha} \langle P', c''\rangle$ where $\alpha \sqcup b = a$ and
$c'' \sqcup b = c'$.

The above lemma is central for deciding bisimilarity in ccp. In fact, we will show later that for the 
weak (saturated) semantics the completeness direction does not hold. From this we will show that the 
standard reduction from weak to strong does not work. 

2.1.1 Equivalences: Saturated Barbed, Irredundant and Symbolic Bisimilarity 

In this section we recall how to check $\sim_{sb}$ with a modified version of partition refinement introduced in
[3]. Henceforth, we shall refer to this version as ccp partition refinement (ccp-PR).

The main problem with checking $\sim_{sb}$ is the quantification over all contexts. This problem is
addressed in [3] following the abstract approach in [8]. More precisely, we use an equivalent notion,
namely irredundant bisimilarity $\sim_I$, which can be verified with ccp-PR. As its name suggests, $\sim_I$ only
takes into account those transitions deemed irredundant.¹ However, technically speaking, going from
$\sim_{sb}$ to $\sim_I$ requires one intermediate notion, so-called symbolic bisimilarity. These three notions are
shown to be equivalent, i.e., $\sim_{sb}\ =\ \sim_{sym}\ =\ \sim_I$. In the following we recall all of them.

Let us first give some auxiliary definitions. The first concept is that of derivation. Consider the
following transitions (taken from Fig. 1):

(a) $\langle P + Q, z < 5\rangle \xrightarrow{x < 7} \langle T, z < 5 \sqcup x < 7\rangle$ (b) $\langle P + Q, z < 5\rangle \xrightarrow{x < 5} \langle T, z < 5 \sqcup x < 5\rangle$

Transition (a) means that for all constraints $e$ s.t. $x < 7$ is entailed by $e$ (formally $x < 7 \sqsubseteq e$), the transition
(c) $\langle P + Q, z < 5 \sqcup e\rangle \longrightarrow \langle T, z < 5 \sqcup e\rangle$ can be performed, while transition (b) means that the reduction
(c) is possible for all $e$ s.t. $x < 5 \sqsubseteq e$. Since $x < 7 \sqsubseteq x < 5$, transition (b) is "redundant", in the sense that
its meaning is "logically derived" by transition (a). The following notion captures the above intuition:

Definition 3 (Derivation $\vdash_D$). We say that the transition $t = \langle P, c\rangle \xrightarrow{\alpha} \langle P', c'\rangle$ derives $t' = \langle P, c\rangle \xrightarrow{\beta}
\langle P', c''\rangle$ (written $t \vdash_D t'$) iff there exists $e$ s.t. $\alpha \sqcup e = \beta$ and $c' \sqcup e = c''$.

One can verify in the above example that (a) $\vdash_D$ (b), and notice that both transitions arrive at the
same process $T$; the difference lies in the label and the store. Now imagine the situation where the initial
configuration is able to perform another transition with $\beta$ (as in $t'$), and let us also assume that such a transition
arrives at a configuration which is equivalent to the result of $t'$. Therefore, it is natural to think that,
since $t$ dominates $t'$, such a new transition should also be dominated by $t$. Let us explain with an example;
consider the two following transitions:

(e) $\langle R + S, true\rangle \xrightarrow{z < 7} \langle P, z < 7\rangle$ (f) $\langle R + S, true\rangle \xrightarrow{z < 5} \langle P + Q, z < 5\rangle$

Note that transition (f) cannot be derived by other transitions, since (e) $\not\vdash_D$ (f). Indeed, $P$ is syntactically
different from $P + Q$, even if they have the same behaviour when inserted in the store $z < 5$, i.e.,
$\langle P, z < 5\rangle \sim_{sb} \langle P + Q, z < 5\rangle$ (since $\sim_{sb}$ is upward closed). Transition (f) is also "redundant", since its behaviour
"does not add anything" to the behaviour of (e). The following definition encompasses this situation:

Definition 4 (Derivation w.r.t. $\mathcal{R}$, $\vdash_{\mathcal{R}}$). We say that the transition $t = \gamma \xrightarrow{\alpha} \gamma_1$ derives $t' = \gamma \xrightarrow{\beta} \gamma_2$ w.r.t.
$\mathcal{R}$ (written $t \vdash_{\mathcal{R}} t'$) iff there exists $\gamma_2'$ s.t. $t \vdash_D \gamma \xrightarrow{\beta} \gamma_2'$ and $\gamma_2'\,\mathcal{R}\,\gamma_2$.

1 Redundancy itself is not trivial to check; for more information see [3].

Then, when $\mathcal{R}$ represents some sort of equivalence, this notion will capture the situation mentioned
above. Notice that $\vdash_D$ is $\vdash_{\mathcal{R}}$ with $\mathcal{R}$ being the identity relation ($id$). Now we introduce the concept
of domination, which consists in strengthening the notion of derivation by requiring labels to be different.

Definition 5 (Domination $\succ_D$). We say that the transition $t = \langle P, c\rangle \xrightarrow{\alpha} \langle P', c'\rangle$ dominates $t' = \langle P, c\rangle \xrightarrow{\beta}
\langle P', c''\rangle$ (written $t \succ_D t'$) iff $t \vdash_D t'$ and $\alpha \neq \beta$.

Similarly, as we did for derivation, we can define domination depending on a relation. Again, $\succ_D$ is
just $\succ_{\mathcal{R}}$ when $\mathcal{R}$ is the identity relation ($id$).
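
Derivation (Def. 3) and domination (Def. 5) checked on transitions (a), (b), (e) and (f), as an added example that is not code from the paper or its tool. It builds the constraint system of Example 1 over two variables `x` and `z`; restricting values to 0..9 and searching `e` only among lubs of the four constraints used here are assumptions made to keep the lattice finite.

```python
from itertools import product

DOMAIN = range(10)                          # assumption: values 0..9, not all naturals
TRUE = frozenset(product(DOMAIN, DOMAIN))   # every assignment (x, z); the constraint true
VARS = {"x": 0, "z": 1}


def lt(var, n):
    """The constraint `var < n`: all assignments mapping var to a value below n."""
    i = VARS[var]
    return frozenset(a for a in TRUE if a[i] < n)


def lub(c, d):
    """Joining information is intersecting the sets of assignments."""
    return c & d


def entails(d, c):
    """d entails c, i.e. c ⊑ d, i.e. c ⊇ d."""
    return d <= c


def closure(atoms):
    """All lubs of subsets of the given constraints (candidate values for e)."""
    out = {TRUE}
    for a in atoms:
        out |= {lub(a, c) for c in out}
    return out


def derives(t, t2, candidates):
    """Def. 3: same source, same target process, and some e with
    alpha ⊔ e = beta and c' ⊔ e = c''."""
    (src, alpha, (p1, c1)), (src2, beta, (p2, c2)) = t, t2
    if src != src2 or p1 != p2:
        return False
    return any(lub(alpha, e) == beta and lub(c1, e) == c2 for e in candidates)


def dominates(t, t2, candidates):
    """Def. 5: derivation with different labels."""
    return derives(t, t2, candidates) and t[1] != t2[1]


X5, X7, Z5, Z7 = lt("x", 5), lt("x", 7), lt("z", 5), lt("z", 7)
E = closure([X5, X7, Z5, Z7])

# Transitions as (source configuration, label, target configuration);
# processes are referred to by name only.
T_A = (("P+Q", Z5), X7, ("T", lub(Z5, X7)))     # (a)
T_B = (("P+Q", Z5), X5, ("T", lub(Z5, X5)))     # (b)
T_E = (("R+S", TRUE), Z7, ("P", Z7))            # (e)
T_F = (("R+S", TRUE), Z5, ("P+Q", Z5))          # (f)

if __name__ == "__main__":
    print("x<7 ⊑ x<5:", entails(X5, X7))
    print("(a) derives (b):", derives(T_A, T_B, E))
    print("(b) derives (a):", derives(T_B, T_A, E))
    print("(e) derives (f):", derives(T_E, T_F, E))
```

Transition (f) is not derived by (e) only because the target processes differ syntactically, which is the gap Def. 4 closes by comparing targets up to a relation.
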

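Definition 6 (Redundancy and Domination w.r.t. $\mathcal{R}$, $\succ_{\mathcal{R}}$). We say that the transition $t = \langle P, c\rangle \xrightarrow{\alpha} \langle P', c'\rangle$
dominates $t' = \langle P, c\rangle \xrightarrow{\beta} \langle Q, d\rangle$ w.r.t. $\mathcal{R}$ (written $t \succ_{\mathcal{R}} t'$) iff there exists $c''$ s.t. $t \succ_D \langle P, c\rangle \xrightarrow{\beta} \langle P', c''\rangle$
and $\langle P', c''\rangle\,\mathcal{R}\,\langle Q, d\rangle$. Also, a transition is said to be redundant when it is dominated by another, otherwise
it is said to be irredundant.

We are now able to introduce symbolic bisimilarity. Intuitively, two configurations $\gamma_1$ and $\gamma_2$ are
symbolic bisimilar iff (i) they have the same barbs and (ii) whenever there is a transition from $\gamma_1$ to $\gamma_1'$
using $\alpha$, then we require that $\gamma_2$ must reply with a similar transition $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ (where $\gamma_1'$ and $\gamma_2'$ are now
equivalent) or some other transition that derives it. In other words, the move from the defender does not
need to use exactly the same label, but a transition that is "stronger" (in terms of derivation $\vdash_D$) could
also do the job. Formally we have the definition below.

Definition 7 (Symbolic Bisimilarity). A symbolic bisimulation is a symmetric relation $\mathcal{R}$ on
configurations s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$ with $\gamma_1 = \langle P, c\rangle$ and $\gamma_2 = \langle Q, d\rangle$ implies that: (i) if $\gamma_1 \downarrow_e$ then
$\gamma_2 \downarrow_e$, (ii) if $\langle P, c\rangle \xrightarrow{\alpha} \langle P', c'\rangle$ then there exists a transition $t = \langle Q, d\rangle \xrightarrow{\beta} \langle Q', d''\rangle$ and a store $d'$ s.t.
$t \vdash_D \langle Q, d\rangle \xrightarrow{\alpha} \langle Q', d'\rangle$ and $\langle P', c'\rangle\,\mathcal{R}\,\langle Q', d'\rangle$. We say that $\gamma_1$ and $\gamma_2$ are symbolic bisimilar ($\gamma_1 \sim_{sym} \gamma_2$) if
there exists a symbolic bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.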

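Example 3. To illustrate the notion of $\sim_{sym}$ we take $\langle P + Q, true\rangle$ and $\langle P, true\rangle$ from Ex. 2. We provide a
symbolic bisimulation $\mathcal{R} = \{(\langle P + Q, true\rangle, \langle P, true\rangle)\} \cup id$ to prove $\langle P + Q, true\rangle \sim_{sym} \langle P, true\rangle$. We take
the pair $(\langle P + Q, true\rangle, \langle P, true\rangle)$. The first condition in Def. 7 is trivial. For the second one, we take
$\langle P + Q, true\rangle \xrightarrow{x < 5} \langle T, x < 5\rangle$ and one can find transitions $t = \langle P, true\rangle \xrightarrow{x < 7} \langle T, x < 7\rangle$ and $t' = \langle P, true\rangle \xrightarrow{x < 5}
\langle T, x < 5\rangle$ s.t. $t \vdash_D t'$ and $\langle T, x < 5\rangle\,\mathcal{R}\,\langle T, x < 5\rangle$. The remaining pairs are trivially verified.

And finally, the irredundant version, which follows the standard bisimulation game where labels need
to be matched; however, only those transitions so-called irredundant must be considered.

Definition 8 (Irredundant Bisimilarity). An irredundant bisimulation is a symmetric relation $\mathcal{R}$ on
configurations s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$ implies that: (i) if $\gamma_1 \downarrow_e$ then $\gamma_2 \downarrow_e$, (ii) if $\gamma_1 \xrightarrow{\alpha} \gamma_1'$ and it is
irredundant in $\mathcal{R}$ then there exists $\gamma_2'$ s.t. $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ and $(\gamma_1', \gamma_2') \in \mathcal{R}$. We say that $\gamma_1$ and $\gamma_2$ are
irredundant bisimilar ($\gamma_1 \sim_I \gamma_2$) if there exists an irredundant bisimulation $\mathcal{R}$ s.t. $(\gamma_1, \gamma_2) \in \mathcal{R}$.

Example 4. We can verify that the relation $\mathcal{R}$ in Ex. 3 is an irredundant bisimulation to show that
$\langle P + Q, true\rangle \sim_I \langle P, true\rangle$. We take the pair $(\langle P + Q, true\rangle, \langle P, true\rangle)$. The first item in Def. 8 is obvious.
Then take $\langle P + Q, true\rangle \xrightarrow{x < 7} \langle T, x < 7\rangle$, which is irredundant according to Def. 6; then there exists a
$\langle T, x < 7\rangle$ s.t. $\langle P, true\rangle \xrightarrow{x < 7} \langle T, x < 7\rangle$ and $(\langle T, x < 7\rangle, \langle T, x < 7\rangle) \in \mathcal{R}$. The other pairs are trivially proven.

Notice that $\langle P + Q, true\rangle \xrightarrow{x < 7} \langle T, x < 7\rangle \succ_{\mathcal{R}} \langle P + Q, true\rangle \xrightarrow{x < 5} \langle T, x < 5\rangle$, hence $\langle P + Q, true\rangle \xrightarrow{x < 5} \langle T, x < 5\rangle$
is redundant, thus it does not need to be matched by $\langle P, true\rangle$.

As we said at the beginning, the above-defined equivalences coincide with $\sim_{sb}$. The proof
strongly relies on Lemma 1.

Theorem 1. $\langle P, c\rangle \sim_I \langle Q, d\rangle$ iff $\langle P, c\rangle \sim_{sym} \langle Q, d\rangle$ iff $\langle P, c\rangle \sim_{sb} \langle Q, d\rangle$.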
2.1.2 Partition Refinement for CCP

In [3] the authors introduced an algorithm for checking $\sim_{sb}$, by modifying the partition refinement
algorithm so as to exploit $\sim_I$. First, since configurations satisfying different barbs are surely different, it can
be safely started with a partition that equates all and only those states satisfying the same barbs. Note that
two configurations satisfy the same barbs iff they have the same store. Thus, we take as initial partition
$\mathcal{P}^0 = \{IS^\star_{d_1}\} \ldots \{IS^\star_{d_n}\}$, where $IS^\star_{d_i}$ is the subset of the configurations of $IS^\star$ with store $d_i$. Secondly,
instead of using the function $\mathbf{F}$ of Alg. 1, the partitions are refined by employing the function $\mathbf{IR}$ defined
as follows: for all partitions $\mathcal{P}$, $\gamma_1\ \mathbf{IR}(\mathcal{P})\ \gamma_2$ iff

• if $\gamma_1 \xrightarrow{\alpha} \gamma_1'$ is irredundant in $\mathcal{P}$, then there exists $\gamma_2'$ s.t. $\gamma_2 \xrightarrow{\alpha} \gamma_2'$ and $\gamma_1'\,\mathcal{P}\,\gamma_2'$.

These two steps are the main idea behind the computation of $\sim_I$ (Alg. 2).

Algorithm 2 CCP-Partition-Refinement($IS$)

Initialization

1. Compute $IS^\star_{new}$

2. $\mathcal{P}^0 := \{IS^\star_{d_1}\} \ldots \{IS^\star_{d_n}\}$,

Iteration $\mathcal{P}^{n+1} := \mathbf{IR}(\mathcal{P}^n)$

Termination If $\mathcal{P}^n = \mathcal{P}^{n+1}$ then return $\mathcal{P}^n$.



2.2 Incompleteness of Milner's saturation method in ccp 

As mentioned at the beginning of this section, the standard approach for deciding weak equivalences
is to add some transitions to the original processes, so-called saturation, and then check for the strong
equivalence. In calculi like CCS, such saturation consists in forgetting about the internal actions that
make part of a sequence containing one observable action (Tab. 1). However, for ccp this method does
not work. The problem is that the transition relation proposed by Milner is not complete for ccp, hence
the relation among the saturated, symbolic and irredundant equivalences is broken. In the next section
we will provide a stronger saturation, which is complete, and allows us to use the ccp-PR to compute $\approx_{sb}$.

Let us show why Milner's approach does not work. First, we need to introduce formally the concept
of completeness for a given transition relation.

Definition 9. We say that a transition relation $\leadsto\ \subseteq Conf \times Con_0 \times Conf$ is complete iff whenever
$\langle P, c \sqcup a\rangle \overset{true}{\leadsto} \langle P', c'\rangle$ then there exist $\alpha, b \in Con_0$ s.t. $\langle P, c\rangle \overset{\alpha}{\leadsto} \langle P', c''\rangle$ where $\alpha \sqcup b = a$ and $c'' \sqcup b = c'$.

Notice that $\longrightarrow$ (i.e. the reduction semantics, see Table 2) is complete, and it corresponds to the
second item of Lemma 1. Now Milner's method defines a new transition relation $\Longrightarrow$ using the rules in
Tab. 1, but it turns out not to be complete.

Proposition 1. The relation $\Longrightarrow$ defined in Table 1 is not complete.

Proof. We will show a counter-example where the completeness for $\Longrightarrow$ does not hold. Let $P = \mathbf{ask}\ \alpha \to
(\mathbf{ask}\ \beta \to \mathbf{stop})$ and $d = \alpha \sqcup \beta$. Now consider the transition $\langle P, d\rangle \Longrightarrow \langle \mathbf{stop}, d\rangle$ and let us apply the
completeness lemma. We can take $c = true$ and $a = \alpha \sqcup \beta$, therefore by completeness there must exist
$b$ and $\lambda$ s.t. $\langle P, true\rangle \overset{\lambda}{\Longrightarrow} \langle \mathbf{stop}, c''\rangle$ where $\lambda \sqcup b = \alpha \sqcup \beta$ and $c'' \sqcup b = d$. However, notice that the only
transition possible is $\langle P, true\rangle \overset{\alpha}{\Longrightarrow} \langle \mathbf{ask}\ \beta \to \mathbf{stop}, \alpha\rangle$, hence completeness does not hold since there is
no transition from $\langle P, true\rangle$ to $\langle \mathbf{stop}, c''\rangle$ for some $c''$. Fig. 2 illustrates the problem. □

2 In fact, in order to check redundancy, some new states should be added to the initial ones (hence the subscript new in
$IS^\star_{new}$). The details of the computation are omitted given that they are not relevant for this paper; however, the interested reader
is referred to [3] for more information.

Figure 2: Counterexample for completeness using Milner's saturation method (cycles from MR2
omitted). Both graphs are obtained by applying the rules in Tab. 1.

Figure 3: Execution of $\langle P, true\rangle$ and $\langle Q, true\rangle$
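
The counterexample from the proof of Proposition 1, run against both saturations (added example, not code from the paper or its tool). It assumes a toy constraint system whose constraints are finite sets of atoms with union as $\sqcup$ and the empty set as $true$; `milner_saturate` follows MR1 to MR3 of Tab. 1 and `lub_saturate` follows the three closure rules given in the Introduction.

```python
from itertools import combinations

TRUE = frozenset()          # bottom of the lattice: the empty constraint
STOP = ("stop",)


def ask(c, cont):
    """Process term ask(c) -> cont, with c a set of atoms."""
    return ("ask", frozenset(c), cont)


def labeled_lts(configs):
    """Labeled transitions (rule LR2) reachable from the given configurations.

    In this toy constraint system the minimal label that lets ask(c) fire
    in store d is unique: the atoms of c that d lacks.
    """
    states, trans, todo = set(), set(), list(configs)
    while todo:
        cfg = todo.pop()
        if cfg in states:
            continue
        states.add(cfg)
        proc, store = cfg
        if proc[0] == "ask":
            label = proc[1] - store
            succ = (proc[2], store | label)
            trans.add((cfg, label, succ))
            todo.append(succ)
    return states, trans


def milner_saturate(states, trans):
    weak = set(trans) | {(s, TRUE, s) for s in states}      # MR1 and MR2
    changed = True
    while changed:                                          # MR3 up to a fixpoint
        changed = False
        for (g, l1, g1) in list(weak):
            for (h1, a, g2) in list(weak):
                for (h2, l2, g3) in list(weak):
                    if (l1 == TRUE and l2 == TRUE and h1 == g1 and h2 == g2
                            and (g, a, g3) not in weak):
                        weak.add((g, a, g3))
                        changed = True
    return weak


def lub_saturate(states, trans):
    weak = set(trans) | {(s, TRUE, s) for s in states}      # first two rules
    changed = True
    while changed:                                          # compose labels with the lub
        changed = False
        for (g, a, g1) in list(weak):
            for (h, b, g2) in list(weak):
                if h == g1 and (g, a | b, g2) not in weak:
                    weak.add((g, a | b, g2))
                    changed = True
    return weak


def completeness_witness(weak, proc, c, a, target, c_prime):
    """Def. 9 for one instance: find (label, b, c'') such that
    (proc, c) =label=> (target, c''), label ⊔ b = a and c'' ⊔ b = c'."""
    atoms = sorted(a | c_prime)
    candidates = [frozenset(x) for n in range(len(atoms) + 1)
                  for x in combinations(atoms, n)]
    for (src, label, (tproc, c2)) in weak:
        if src == (proc, c) and tproc == target:
            for b in candidates:
                if label | b == a and c2 | b == c_prime:
                    return label, b, c2
    return None


def counterexample():
    alpha, beta = frozenset({"alpha"}), frozenset({"beta"})
    d = alpha | beta
    P = ask(alpha, ask(beta, STOP))                 # P = ask alpha -> (ask beta -> stop)
    states, trans = labeled_lts([(P, TRUE), (P, d)])
    result = {}
    for name, saturate in (("milner", milner_saturate), ("lub", lub_saturate)):
        weak = saturate(states, trans)
        result[name] = {
            # the premise of Def. 9: (P, d) ==> (stop, d) with label true
            "premise": ((P, d), TRUE, (STOP, d)) in weak,
            # the transition from (P, true) that completeness demands
            "witness": completeness_witness(weak, P, TRUE, d, STOP, d),
        }
    return result


if __name__ == "__main__":
    for name, res in counterexample().items():
        print(name, res)
```

Both saturations contain the premise transition, but only the lub closure yields a matching move from $\langle P, true\rangle$, labelled $\alpha \sqcup \beta$.
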

We can now use this fact to see why the method does not work for computing $\dot{\approx}_{sb}$ using ccp-PR.
First, let us redefine some concepts using the new transition relation $\Longrightarrow$. Because of condition (i) in
we need a new definition of barbs, namely weak barbs w.r.t. $\Longrightarrow$.

Definition 10. We say $\gamma$ has a weak barb $e$ w.r.t. $\Longrightarrow$ (written $\gamma \downdownarrows_e$) iff $\gamma \Longrightarrow^* \gamma' \downarrow_e$.



Using this notion, we introduce Symbolic and Irredundant bisimilarity w.r.t. $\Longrightarrow$, denoted by $\dot{\sim}^{\Longrightarrow}_{sym}$
and $\dot{\sim}^{\Longrightarrow}_{I}$ respectively. They are defined as in Def. 7 and 8 where in condition (i) weak barbs ($\Downarrow$) are
replaced with $\downdownarrows$ and in condition (ii) the transition relation is now $\Longrightarrow$.

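One would expect that since $\dot{\sim}_{sb} = \dot{\sim}_{sym} = \dot{\sim}_{I}$ then the natural consequence will be that $\dot{\approx}_{sb} = \dot{\sim}^{\Longrightarrow}_{sym} = \dot{\sim}^{\Longrightarrow}_{I}$, given that these new notions are supposed to be the weak versions of the former ones when using
the saturation method. However, completeness is necessary for proving $\dot{\sim}_{sb} = \dot{\sim}_{sym} = \dot{\sim}_{I}$, and from
Proposition 1 we know that $\Longrightarrow$ is not complete, hence we might expect $\dot{\approx}_{sb} \neq \dot{\sim}^{\Longrightarrow}_{sym} \neq \dot{\sim}^{\Longrightarrow}_{I}$. In fact, the
following counter-example shows these inequalities.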

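Example 5. Let $P$, $P'$ and $Q$ be as in Fig. 4. The figure shows $\langle P,true\rangle$ and $\langle Q,true\rangle$ after we saturate
them using Milner's method. First, notice that $\langle P,true\rangle \dot{\approx}_{sb} \langle Q,true\rangle$, since there exists a saturated weak
barbed bisimulation $\mathcal{R} = \{(\langle P,true\rangle,\langle Q,true\rangle)\} \cup id$. However, $\langle P,true\rangle \not\dot{\sim}^{\Longrightarrow}_{I} \langle Q,true\rangle$. To prove that,
we need to pick an irredundant transition from $\langle P,true\rangle$ or $\langle Q,true\rangle$ (after saturation) s.t. the other
cannot match. Thus, take $\langle Q,true\rangle \stackrel{\alpha \sqcup \beta}{\Longrightarrow} \langle \mathbf{tell}(c),\alpha \sqcup \beta\rangle$, which is irredundant, and given that $\langle P,true\rangle$
does not have a transition with $\alpha \sqcup \beta$ then we know that there is no irredundant bisimulation containing
$(\langle P,true\rangle, \langle Q,true\rangle)$, therefore $\langle P,true\rangle \not\dot{\sim}^{\Longrightarrow}_{I} \langle Q,true\rangle$. Using the same reasoning we can also show that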
Figure 4: Let $P = \mathbf{ask}(\alpha) \to P'$, $P' = (\mathbf{ask}(\beta) \to \mathbf{tell}(c)) + (\mathbf{ask}(true) \to \mathbf{tell}(d))$ and $Q = P + (\mathbf{ask}(\alpha \sqcup \beta) \to \mathbf{tell}(c))$. The figure represents $\langle P,true\rangle$ and $\langle Q,true\rangle$ after being saturated using
Milner's method (cycles from MR2 omitted). The dashed transitions are the new ones added by the
rules in Tab. 3. The dotted transition is the (irredundant) one that $\langle Q,true\rangle$ can take but $\langle P,true\rangle$ cannot
match, therefore showing that $\langle P,true\rangle \not\dot{\sim}^{\Longrightarrow}_{I} \langle Q,true\rangle$.



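R-Tau: $\dfrac{}{\gamma \stackrel{true}{\Longrightarrow} \gamma}$

R-Label: $\dfrac{\gamma \stackrel{\alpha}{\longrightarrow} \gamma'}{\gamma \stackrel{\alpha}{\Longrightarrow} \gamma'}$

R-Add: $\dfrac{\gamma \stackrel{\alpha}{\Longrightarrow} \gamma' \stackrel{\beta}{\Longrightarrow} \gamma''}{\gamma \stackrel{\alpha \sqcup \beta}{\Longrightarrow} \gamma''}$

Table 4: New Labelled Transition System.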

3 Reducing weak bisimilarity to Strong in CCP 

In this section we shall provide a method for deciding weak bisimilarity in ccp. As shown in Sec.
the usual method for deciding weak bisimilarity (introduced in Sec. 2) does not work for ccp. We shall
proceed by redefining $\Longrightarrow$ in such a way that it is sound and complete for ccp. Then we prove that, w.r.t.
$\Longrightarrow$, symbolic and irredundant bisimilarity coincide with $\dot{\approx}_{sb}$, i.e. $\dot{\approx}_{sb} = \dot{\sim}^{\Longrightarrow}_{sym} = \dot{\sim}^{\Longrightarrow}_{I}$. We therefore
conclude that the partition refinement algorithm in [3] can be used to verify $\dot{\approx}_{sb}$ w.r.t. $\Longrightarrow$.

3.1 Defining a new saturation method for CCP 

If we analyze the counter-example to completeness (see Fig. 2), one can see that the problem arises
because of the nature of the labels in ccp, namely using this method $\langle \mathbf{ask}\ \alpha \to (\mathbf{ask}\ \beta \to \mathbf{stop}), true\rangle$
does not have a transition with $\alpha \sqcup \beta$ to $\langle \mathbf{stop}, \alpha \sqcup \beta\rangle$, hence that fact can be exploited to break the
relation among the weak equivalences. Following this reasoning, instead of only forgetting about the
silent actions we also take into account that labels in ccp can be added together. Thus we have a new rule
that creates a new transition for each two consecutive ones, whose label is the lub of the labels in them.
This method can also be thought of as the reflexive and transitive closure of the labeled transition relation
($\stackrel{\alpha}{\longrightarrow}$). This transition relation turns out to be sound and complete and it can be used to decide $\dot{\approx}_{sb}$.

3.1.1 A new saturation method 

Formally, our new transition relation $\Longrightarrow$ is defined by the rules in Tab. 4. For simplicity, we are using the
same arrow $\Longrightarrow$ to denote this transition relation. Consequently the definitions of weak barbs, symbolic
and irredundant bisimilarity are now interpreted w.r.t. $\Longrightarrow$ ($\downdownarrows$, $\dot{\sim}^{\Longrightarrow}_{sym}$ and $\dot{\sim}^{\Longrightarrow}_{I}$ respectively).

First, $\downdownarrows$ coincides with $\Downarrow$, since a transition in $\Longrightarrow$ corresponds to a sequence of reductions.

Lemma 2. $\gamma \longrightarrow^* \gamma'$ iff $\gamma \Longrightarrow \gamma'$.

Using this lemma, it is straightforward to see that the notions of weak barbs coincide.

Proposition 2. $\gamma \Downarrow_e$ iff $\gamma \downdownarrows_e$.

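An important property is that the new labeled transition system ($\Longrightarrow$) is finitely branching. Under
the assumption that the transition relation $\longrightarrow$ is finitely branching and that the number of states in the
transition system is finite, we can use the fact that labels in ccp are idempotent to prove that
$\Longrightarrow$ is finitely branching. Formally:

Proposition 3. If for any $\gamma$ we have $|\{(\gamma',\alpha) \mid \exists \alpha.\ \gamma \stackrel{\alpha}{\longrightarrow} \gamma'\}| < \infty$ and $|\{\gamma' \mid \exists \alpha_1,\ldots,\alpha_n.\ \gamma \stackrel{\alpha_1}{\longrightarrow} \ldots \stackrel{\alpha_n}{\longrightarrow} \gamma'\}| < \infty$, then $|\{(\gamma',\alpha) \mid \exists \alpha.\ \gamma \stackrel{\alpha}{\Longrightarrow} \gamma'\}| < \infty$.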
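
The closure given by R-Tau, R-Label and R-Add can be computed as a fixpoint over a finite transition system. The Python example below is an added illustration, not code from the paper: it models constraints as finite sets with union as lub and the empty set as true, uses four constructed transitions for the counterexample of Fig. 2, and assumes the usual tau* a tau* reading for the Milner-style variant.

```python
from itertools import product

TRUE = frozenset()   # the constraint `true`; lub is modelled as set union (assumption)
A, B = frozenset("a"), frozenset("b")

# Constructed labelled transitions for P = ask a -> (ask b -> stop), started
# in the store a+b (first two steps) and in the store true (last two steps).
LTS = {
    ("<P,a+b>", TRUE, "<ask b -> stop,a+b>"),
    ("<ask b -> stop,a+b>", TRUE, "<stop,a+b>"),
    ("<P,true>", A, "<ask b -> stop,a>"),
    ("<ask b -> stop,a>", B, "<stop,a+b>"),
}

def saturate(lts, may_compose):
    """Least relation holding a `true` self-loop per state and every original
    step, closed under composing two consecutive steps when may_compose(l1, l2)
    allows it; the composed step is labelled with the lub l1 | l2."""
    nodes = {s for s, _, _ in lts} | {t for _, _, t in lts}
    sat = {(s, TRUE, s) for s in nodes} | set(lts)
    while True:
        new = {(s, l1 | l2, t)
               for (s, l1, m), (m2, l2, t) in product(sat, repeat=2)
               if m == m2 and may_compose(l1, l2)} - sat
        if not new:          # labels are idempotent, so the fixpoint is finite
            return sat
        sat |= new

def milner(lts):
    # Assumed tau* a tau* reading of Milner's rules: at most one of two
    # composed steps may carry a label other than `true`.
    return saturate(lts, lambda l1, l2: TRUE in (l1, l2))

def ccp_saturation(lts):
    # R-Tau, R-Label, R-Add: any two consecutive steps compose.
    return saturate(lts, lambda l1, l2: True)

def labels_to_stop(sat, src):
    """Sorted labels of the saturated steps leading from src to a stop state."""
    return sorted(tuple(sorted(l)) for s, l, t in sat
                  if s == src and t.startswith("<stop"))

if __name__ == "__main__":
    for name, close in (("Milner", milner), ("R-Add", ccp_saturation)):
        sat = close(LTS)
        print(name, labels_to_stop(sat, "<P,a+b>"), labels_to_stop(sat, "<P,true>"))
```

Under the assumed Milner-style closure the configuration with store true has no saturated step to stop, while the R-Add closure produces one labelled with the lub of a and b, which is the transition that completeness asks for.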

3.1.2 Soundness and Completeness 

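As mentioned before, soundness and completeness of the relation are the core properties when proving
$\dot{\sim}_{sb} = \dot{\sim}_{sym} = \dot{\sim}_{I}$. We now proceed to show that our method enjoys these properties, and they will
allow us to prove the correspondence among the equivalences for the weak case.

Lemma 3 (Soundness of $\Longrightarrow$). If $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c'\rangle$ then $\langle P,c \sqcup \alpha\rangle \Longrightarrow \langle P',c'\rangle$.

Proof. We proceed by induction on the depth of the inference of $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c'\rangle$.

• Using R-Tau we have $\langle P,c\rangle \Longrightarrow \langle P,c\rangle$ and the result follows directly given that $\alpha = true$.

• Using R-Label we have $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c'\rangle$ then $\langle P,c\rangle \stackrel{\alpha}{\longrightarrow} \langle P',c'\rangle$. By Lemma 1 (soundness of $\longrightarrow$)
we get $\langle P,c \sqcup \alpha\rangle \longrightarrow \langle P',c'\rangle$ and finally by rule R-Label $\langle P,c \sqcup \alpha\rangle \Longrightarrow \langle P',c'\rangle$.

• Using R-Add then we have $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c'\rangle$ then $\langle P,c\rangle \stackrel{\beta}{\Longrightarrow} \langle P'',c''\rangle \stackrel{\lambda}{\Longrightarrow} \langle P',c'\rangle$ where $\beta \sqcup \lambda = \alpha$.
By induction hypothesis, $\langle P,c \sqcup \beta\rangle \Longrightarrow \langle P'',c''\rangle$ (1) and $\langle P'',c'' \sqcup \lambda\rangle \Longrightarrow \langle P',c'\rangle$ (2). By monotonicity
on (1), $\langle P,c \sqcup \beta \sqcup \lambda\rangle \Longrightarrow \langle P'',c'' \sqcup \lambda\rangle$ and by rule R-Add on this transition and (2) then, given
that $\beta \sqcup \lambda = \alpha$, we obtain $\langle P,c \sqcup \alpha\rangle \Longrightarrow \langle P',c'\rangle$.

□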

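Lemma 4 (Completeness of $\Longrightarrow$). If $\langle P,c \sqcup a\rangle \Longrightarrow \langle P',c'\rangle$ then there exist $\alpha$ and $b$ s.t. $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c''\rangle$
where $\alpha \sqcup b = a$ and $c'' \sqcup b = c'$.

Proof. Assuming that $\langle P,c \sqcup a\rangle \Longrightarrow \langle P',c'\rangle$ then, from Lemma 2 we can say that $\langle P,c \sqcup a\rangle \longrightarrow^* \langle P',c'\rangle$,
which can be written as $\langle P,c \sqcup a\rangle \longrightarrow \ldots \longrightarrow \langle P_i,c_i\rangle \longrightarrow \langle P',c'\rangle$. We will proceed by induction on $i$.

(Base Case) Assuming $i = 0$ then $\langle P,c \sqcup a\rangle \longrightarrow \langle P',c'\rangle$ and the result follows directly from Lemma 1 (Completeness of $\longrightarrow$) and R-Label.

(Induction) Let us assume that $\langle P,c \sqcup a\rangle \longrightarrow^{i} \langle P_i,c_i\rangle \longrightarrow \langle P',c'\rangle$ then by induction hypothesis there exist $\beta$
and $b'$ s.t. $\langle P,c\rangle \stackrel{\beta}{\Longrightarrow} \langle P_i,c'_i\rangle$ (1) where $\beta \sqcup b' = a$ and $c'_i \sqcup b' = c_i$. Now by completeness on the last
transition $\langle P_i,c'_i \sqcup b'\rangle \longrightarrow \langle P',c'\rangle$, there exist $\lambda$ and $b''$ s.t. $\langle P_i,c'_i\rangle \stackrel{\lambda}{\longrightarrow} \langle P',c''\rangle$ where $\lambda \sqcup b'' = b'$
and $c'' \sqcup b'' = c'$, thus by rule R-Label we have $\langle P_i,c'_i\rangle \stackrel{\lambda}{\Longrightarrow} \langle P',c''\rangle$ (2). We can now proceed to
apply rule R-Add on (1) and (2) to obtain the transition $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c''\rangle$ where $\alpha = \beta \sqcup \lambda$ and
finally take $b = b''$, therefore the conditions hold: $\alpha \sqcup b = \beta \sqcup \lambda \sqcup b'' = a$ and $c'' \sqcup b = c'' \sqcup b'' = c'$.

□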
3.2 Weak saturated bisimilarity coincides with the strong symbolic and irredundant bisimilarity

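We show our main result, a method for deciding $\dot{\approx}_{sb}$. Recall that $\dot{\approx}_{sb}$ is the standard weak bisimilarity
for ccp HI, and it is defined in terms of $\longrightarrow$, therefore it does not depend on $\Longrightarrow$. Roughly, we start
from the fact that ccp-PR is able to check whether two configurations are irredundant bisimilar $\dot{\sim}_{I}$. Such
configurations evolve according to a transition relation ($\longrightarrow$), then we provide a new way for them to
evolve ($\Longrightarrow$) and we use the same algorithm to compute now $\dot{\sim}^{\Longrightarrow}_{I}$. Here we prove that $\dot{\approx}_{sb} = \dot{\sim}^{\Longrightarrow}_{sym} = \dot{\sim}^{\Longrightarrow}_{I}$,
hence we give a reduction from $\dot{\approx}_{sb}$ to $\dot{\sim}^{\Longrightarrow}_{I}$, which has an effective decision procedure.

Given that the transition relation $\longrightarrow$ (see Lemma 1) is sound and complete, the correspondence
between the symbolic and irredundant bisimilarity follows from 0.

Corollary 1. $\gamma \dot{\sim}^{\Longrightarrow}_{sym} \gamma'$ iff $\gamma \dot{\sim}^{\Longrightarrow}_{I} \gamma'$.

Finally, in the next two lemmata, we prove that $\dot{\approx}_{sb} = \dot{\sim}^{\Longrightarrow}_{sym}$.

Lemma 5. If $\gamma \dot{\approx}_{sb} \gamma'$ then $\gamma \dot{\sim}^{\Longrightarrow}_{sym} \gamma'$.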

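Proof. We need to prove that $\mathcal{R} = \{(\langle P,c\rangle, \langle Q,d\rangle) \mid \langle P,c\rangle \dot{\approx}_{sb} \langle Q,d\rangle\}$ is a symbolic bisimulation over $\Longrightarrow$.
The first condition (i) of the bisimulation follows directly from Proposition 2. As for (ii), let us assume
that $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c'\rangle$ then by soundness of $\Longrightarrow$ we have $\langle P,c \sqcup \alpha\rangle \Longrightarrow \langle P',c'\rangle$, now by Lemma 2 we
obtain $\langle P,c \sqcup \alpha\rangle \longrightarrow^* \langle P',c'\rangle$. Given that $\langle P,c\rangle \dot{\approx}_{sb} \langle Q,d\rangle$ then from the latter transition we can conclude
that $\langle Q,d \sqcup \alpha\rangle \longrightarrow^* \langle Q',d'\rangle$ where $\langle P',c'\rangle \dot{\approx}_{sb} \langle Q',d'\rangle$, hence we can use Lemma 2 again to deduce that
$\langle Q,d \sqcup \alpha\rangle \Longrightarrow \langle Q',d'\rangle$. Finally, by completeness of $\Longrightarrow$, there exist $\beta$ and $b$ s.t. $t = \langle Q,d\rangle \stackrel{\beta}{\Longrightarrow} \langle Q',d''\rangle$
where $\beta \sqcup b = \alpha$ and $d'' \sqcup b = d'$, therefore $t \vdash_D \langle Q,d\rangle \stackrel{\alpha}{\Longrightarrow} \langle Q',d'\rangle$ and $\langle P',c'\rangle \mathcal{R} \langle Q',d'\rangle$. □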

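Lemma 6. If $\gamma \dot{\sim}^{\Longrightarrow}_{sym} \gamma'$ then $\gamma \dot{\approx}_{sb} \gamma'$.

Proof. We need to prove that $\mathcal{R} = \{(\langle P,c \sqcup a\rangle, \langle Q,d \sqcup a\rangle) \mid \langle P,c\rangle \dot{\sim}^{\Longrightarrow}_{sym} \langle Q,d\rangle\}$ is a weak saturated bisimulation.
First, condition (i) follows from Proposition 2 and (iii) by definition of $\mathcal{R}$. Let us prove
condition (ii): assume $\langle P,c \sqcup a\rangle \longrightarrow^* \langle P',c'\rangle$ then by Lemma 2 $\langle P,c \sqcup a\rangle \Longrightarrow \langle P',c'\rangle$. Now by
completeness of $\Longrightarrow$ there exist $\alpha$ and $b$ s.t. $\langle P,c\rangle \stackrel{\alpha}{\Longrightarrow} \langle P',c''\rangle$ where $\alpha \sqcup b = a$ and $c'' \sqcup b = c'$. Since
$\langle P,c\rangle \dot{\sim}^{\Longrightarrow}_{sym} \langle Q,d\rangle$ then we know there exists a transition $t = \langle Q,d\rangle \stackrel{\beta}{\Longrightarrow} \langle Q',d'\rangle$ s.t. $t \vdash_D \langle Q,d\rangle \stackrel{\alpha}{\Longrightarrow} \langle Q',d''\rangle$
and (a) $\langle P',c''\rangle \dot{\sim}^{\Longrightarrow}_{sym} \langle Q',d''\rangle$; by definition of $\vdash_D$ there exists $b'$ s.t. $\beta \sqcup b' = \alpha$ and $d' \sqcup b' = d''$. Using
soundness of $\Longrightarrow$ on $t$ we get $\langle Q,d \sqcup \beta\rangle \Longrightarrow \langle Q',d'\rangle$, thus by Lemma 2 $\langle Q,d \sqcup \beta\rangle \longrightarrow^* \langle Q',d'\rangle$ and
finally by monotonicity

$$\langle Q, d \sqcup \underbrace{\underbrace{\beta \sqcup b'}_{\alpha} \sqcup b}_{a} \rangle \longrightarrow^* \langle Q', \underbrace{d' \sqcup b'}_{d''} \sqcup b \rangle \qquad (1)$$

Then, the transition $\langle P,c \sqcup a\rangle \longrightarrow^* \langle P',c'\rangle$ can be rewritten as $\langle P,c \sqcup a\rangle \longrightarrow^* \langle P',c'' \sqcup b\rangle$, and using (1),
$\langle Q,d \sqcup a\rangle \longrightarrow^* \langle Q',d'' \sqcup b\rangle$. It is left to prove that $\langle P',c'' \sqcup b\rangle \mathcal{R} \langle Q',d'' \sqcup b\rangle$, which follows from (a). □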

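Using Lemma 5 and Lemma 6 we obtain the following theorem.

Theorem 2. $\langle P,c\rangle \dot{\sim}^{\Longrightarrow}_{sym} \langle Q,d\rangle$ iff $\langle P,c\rangle \dot{\approx}_{sb} \langle Q,d\rangle$.

From the above results, we conclude that $\dot{\sim}^{\Longrightarrow}_{I} = \dot{\approx}_{sb}$. Therefore, given that using ccp-PR in combination
with $\Longrightarrow$ (and $\Downarrow$) we can decide $\dot{\sim}^{\Longrightarrow}_{I}$, then we can use the same procedure to check whether two
configurations are in $\dot{\approx}_{sb}$.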
4 Concluding Remarks

We showed that the transition relation given by Milner's saturation method is not complete for ccp (in
the sense of Definition 9). As a consequence we also showed that weak saturated barbed bisimilarity $\dot{\approx}_{sb}$
cannot be computed using the ccp partition refinement algorithm for (strong) bisimilarity in ccp w.r.t.
this transition relation. We then presented a new transition relation using another saturation mechanism
and showed that it is complete for ccp. We also showed that the ccp partition refinement can be used to
compute $\dot{\approx}_{sb}$ using the new transition relation. To the best of our knowledge, this is the first approach
to verifying weak bisimilarity for ccp. As future work, we plan to investigate other calculi where the
nature of their transition systems gives rise to similar situations regarding weak and strong bisimilarity,
in particular timed ccp (tcc) [25], non-deterministic timed ccp (ntcc) [23], universal temporal ccp (utcc)
[22] and Epistemic ccp (eccp) [16].